Current events

[Fluffyumpkins]

This post brought to you by Facebook's 'Trending' section. 'Trending' is your source for celebrity gossip and pathos driven headlines. Don't delay, waste time today!

[Merk]

It's a copycat world out there, gobba keep up with the Twitters!

[Merk]

[Merk]

Indianapolis is going to have a new area code in addition to 317 and 765 (for the outer areas of the city) which they have now since we're projected to run out of numbers in 2017. We don't know what the area code number is going to be exactly but it should be figured out in May or so. I know that it definitely won't be these numbers: http://www.nanpa.com/enas/plannedNpasNo ... eReport.do

If you clicked that link, you may notice that the 812 is getting another area code overlay, 930. If you own an 812 number you may have already received a notice but come this September mandatory 10-digit dialing will be required for everyone with an 812 area code phone.

This is my life.

[Ho]

At least it's an overlay and not a split.

[Merk]

Yeah I was like 10 years old when 219 was split and Fort Wayne became 260 but I'm positive that people were pissed and phone providers had to put a lot of work in re-writing their number translations.

Every area code change these days is going to be an overlay since there's so much pressure from businesses to keep their number the same at all costs, hence why we have stuff like number portability.

[Fluffyumpkins]

http://www.npr.org/blogs/thesalt/2014/0 ... -your-diet

I recommend against reading the comments below the article unless you believe anecdotal evidence is the best evidence.

[Fluffyumpkins]

NPR talking about Twitch.
http://www.npr.org/blogs/alltechconside ... ame-player

It may not surprise you that Netflix uses more bandwidth at peak hours than any other company, followed by Google and Apple. Number four on the list, though, is Twitch.tv.

[Merk]

If I use Firefox does that mean I hate gays? Better question, if I use JavaScript does that mean I hate gays?

[Fluffyumpkins]

If I use Firefox does that mean I hate gays? Better question, if I use JavaScript does that mean I hate gays?

A core tenant of internet activism is to never actually inconvenience yourself.

[Merk]

Do I hate gays through via actions? Specifically, do I hate gays because of my use of JavaScript?

[Fluffyumpkins]

Do I hate gays through via actions? Specifically, do I hate gays because of my use of JavaScript?

Yes. You are supporting an institution founded on hate. #boycottmerk

[DAVE101]

Boo area codes

[Merk]

Looks like there's a bug in the encryption of the latest iteration of OpenSSL that allows you to read data after it has been encrypted. Here's a neat little app that will allow you to test to see if your favorite websites are secure:

http://filippo.io/Heartbleed/

After about 5 minutes of putting in websites the only one I was able to successfully generate a vulnerability for was Yahoo.com. IndyDDR.com doesn't use https:// so it looks like we're good guys woo lolololololol -- seriously though I'm pretty sure it's trivial to snag passwords from this site but thank God no one can be bothered to attack IndyDDR so we literally have security through obscurity.

Time to buy some VeriSign stock because boy howdy that's a lot of new cert orders they're about to get.

[MonMotha]

It's actually worse than that. It allows you to read arbitrary memory of the TLS server's process. Among other things, this can leak the server's private key. If the server doesn't use PFS, this effectively discloses all data encrypted under that key for its history. If PFS is in use, you can either MITM attacks until the cert is revoked, or you can continue to snoop the process's memory space and recover the session keys using the same method as you can use to recover the private key. Of course, with the private key, you can also impersonate the peer. Anything else in the server's memory is also subject to disclosure including secrets to access backend databases, usernames and passwords (as they fly by), etc.

Fortunately, this does not, as far as I know, allow arbitrary code execution, so it's at least not a "your box is now owned" type bug. It does, however, necessitate a mass rotation of certificates. Many of the CAs have already said they may have issues since they don't have the infrastructure to revoke millions of certs at the same time. Anybody who uses certificate pinning will of course get a ton of warnings, but they are to be expected.

This unfortunately makes the semi-recent Apple and gnuTLS certificate validation bugs look like a non-issue. Those were easily fixed by simply applying the patch. This requires not only applying the patch but also rotating the PKI.

I just had a lot of fun re-generating keys and certs...